What needs improvement with Fortinet FortiGate?
They ARE leaders.
Improvement is needed in the Web Filter quotas to restrict users with allocated quotas. It would be an improvement to add a feature for active users to change/reset their own passwords. Fortinet renewal prices for all models are too high, so they should offer discounts for customers on renewal.
FortiWAN was supposed to help in doing intersite linking, but we've realized that most of the ISPs use BGP. FortiWAN supports OSPF but does not support the BGP protocol. This is a problem for us because without BGP they are not doing anything, and we've had to pack them up. I would like to see the BGP protocol supported on FortiWAN. Technical support for this solution can be improved.
I would like to have logs, monitoring, and reporting for a month without extra fees.
The Web-filter in this solution is not very good. Perhaps because Fortinet does not want to compete with its own dedicated solution.
FortiOS is not simple. Too many people think it should be simple to use, but the complexity of the product makes that impossible.
This product could be improved with Active Directory integration and better handling in IPsec and GRE Tunnels. There are not enough recent online materials to assist in integration with Cisco for VPN, GRE, and IPsec.
I use the FortiGate 60D model and realized the 300Mbps bandwidth limitation. Because it is a product that offers many services, I think it could have greater bandwidth capacity.
The reporting needs to be improved. Also, the VPN (Virtual private network) monitoring needs improvement. Beyond these improvements, I cannot think of any additional features that I would like.
It is mainly our own application of FortiGate that we need to improve. If you compare FortiGate to any other products, all of the other products have more signatures. I couldn't find that many signatures available in the application. Some features of Fortinet FortiGate are actually fee enabled that are inconvenient for deploying in production. Other issues relate to isolation with Cisco products and your server. Fortinet should make it so that we are not able to use analytics from Cisco at the same time that FortiGate is installed. We are not able to do real-time network monitoring. For the next release, FortiGate should be improved to support these issues. For the setup, you need to prepare a lot for that before engaging the deployment. I learned a lot about FortiGate from books. That should be important in preparation. Fortinet should implement these changes, then we would be able to do more.
The monitoring and the visibility, in this proxy, is very weak. I would like for them to develop better visibility, monitoring, and reporting.
They should improve the interface to make it more user-friendly. I would like to see some sort of reporting if there was an issue with the connecting network sources or connections.
Fortinet needs more memory to save the log files (like in the 101E, the old product). We need it to save the logs on the hardware and not in the cloud. I know this feature is available in FortiCloud, but if we need to log locally, it is not available. Also, the log only records a little time and needs to be longer.
The Fortinet FortiGate firewall has been improved with many new functions. Fortinet is working to develop a new generation of firewalls with better security. Fortinet already improved FortiGate, but in the current market, many brands of security devices have improved together. Fortinet still needs to catch up with market standards. Fortinet is lacking in features in comparison to competitors.
The FortiGate reporting system needs to be more detailed about files. Palo Alto Networks is more detailed in the reporting system than Fortinet. Currently, as for our security, we don't need more. The main reporting in Palo Alto Networks is much more developed than Fortinet, especially in the part of the file exchange. As a security lead, I think Fortinet FortiGate is much more reliable than Palo Alto Networks.
Flexibility is questionable when it comes to the hardware parts. If Fortinet can make FortiGate modular so that you can actually upgrade it without changing the parts, I would prefer it. If Fortinet FortiGate could actually integrate with the hybrid cloud architecture without changing the storage parts, i.e. the hardware, it would be better.
FortiGate is a complete solution, but it is very expensive compared with other solutions. Then actually, we are analyzing other solutions.
We have many users currently with this solution. One issue that I have had is that sometimes I need to monitor the traffic, so I need to filter it according to the user and which user is using it the most. I experience a bottleneck most of the time, particularly at peak time when the number of contracts and users are at maximum. We feel a kind of bottleneck. When I first entered the log section, I could not find any results. I did not find any proof, i.e. reporting and analytics on the speed and network availability were not optimized. I could not find any such log from the server, maybe Fortinet could improve this service.
Fortinet could improve the windows opener or the virtual IP solutions for opening windows. The virtual IP settings need improvement as firewalls are trending in new development directions.
Some of the filtering is not robust, you can escape it with a VPN. Some of the users bypass some of the filters. It catches some but it also misses some, that area could be improved. It's functioning reasonably but there's room for improvement in that area. There is a feature that Palo Alto has called Traps. It helps to prevent attacks on the system. A feature similar to this would be worth adding.
The main aspect of FortiGate that could be improved is load balancing. Our management team does not want to buy another appliance for only load balancing. The network routing with Fortinet FortiGate can be an issue, but it generally depends on the size of the company.
I recently saw the new updates that are coming, such as the ability to quarantine a user's machine. Once done, you have the ability to connect to it from the FortiManager Console and you can bring it back online, out of quarantine. This is all very good news. One of the areas that I feel need improvement is on the DLP (Data Leak Prevention) side of things. Compared to some other products, the DLP is not at par for the moment. Also, if in the next few years this solution can be made to support HE between models, it would be better. I feel that improvements can be made on the security side. Sometimes the product does a good job, but sometimes not.
They need to improve their technical support.
Since we are in the initial stages of implementation I can't suggest any additional features for the next release. At this point, I really need more time to evaluate the tool. The only thing I can recommend at this time is to make improvements for the user end when the user website is running slowly; the speed can definitely be improved. There is room to include IP wise and net-wise and bandwidth settings.
They should make the rule sets more understandable for the end user. When you're trying to explain to somebody how a computer network is secured, sometimes it's difficult for an end user or customer to understand. If there was a way to make the terminology more accessible to the end user, the set up could be easier. They should translate the technical jargon to an easily relatable and understandable conversation for the end user, the customer. Particularly in an environment where the IT structure is audited regularly, there's always pressure from the auditor to up the standards and up the security and you get your USCERT's that come out and there's a warning about this and the customer will want to lock out so much so when you apply it they run into an issue where they can't search the internet or print to their remote office. Of course they can't print to their remote office, they just locked it up. They should make the language more understandable for the customer. If there's a product out there that made the jargon understandable to John Q. Public, I would buy that. There's a link off of the reports that you can click and make suggestions, which is pretty awesome because it seems like somebody is reading those and doing something about it. If I could save reports in a format where I could save space and not have to reprint them and move information down from letterheads and that sort of stuff that would be great. Formatting reports is the only thing I would change about that product right now.
The UTM filtering control could be improved.
We had a minor problem where there was a major system upgrade on the hardware platform and the Apple Mac client was not available as soon as it might have been. The PC client was available immediately, but we had to wait a month or so, before there was an Apple Mac client. I was slightly irritated that it was not ready on time, but it was eventually resolved.
The speed of synchronization between FortiManager and FortiGate could be improved, but that could be because we host them in Azure.
I think they need to improve more in order to be a competitor with the leaders of the field.
The web-cache feature which was previously on the FortiGate device, but was deleted with the recent upgrade, should be returned. It was a very valuable feature for us.
There could be more integration between the logging and analytical platforms to make it more seamless and integrated.
A couple of things I've seen that need improvement, especially in terms of a hard coding. The driver-level active moment really is out-of-the-box and we have to contact the customer support and sometimes it is difficult to resolve. My only solution would be please don't make it as a closed source. Don't make it as a closed source. Give some kind of a power to the user so that they can consider it according to their determine that it should have some flexibility on concurrent connections not be restricted. I agree that to some concurrent connections the CPU and the box may be a lower model and it needs some higher scale level with this. But, there should be a provision. There should be a provision to go to at least to 60-70% onto the threshold to go beyond the designed capacity of something. Like we call it as a design capacity, and since 70% addition to the 100% of it.
The UI could be improved.
I would like to see more advanced developments of a wireless controller in the future.
The room for improvement is about the global delivery time period. Usually I need to wait for almost one month to deliver it overseas. So if you can shorten the delivery time it would be great.
I think the only issue that needs improvement is the interface.
I am looking to implement key authentication for admin access for the Fortinet product.
It could use more templates for third-party site-to-site VPN setups other than FortiGate and Cisco.
There are problems with the custom reporting of the unique traffic. The data is there, but it is too difficult for us to extract.
The reports are very basic.
They need faster serviceability and more security features.
WAN load-balancing could be a lot better at detecting when a link is poor or inconsistent, and not just flat out dead. There are lots of options for routing traffic over a specific path when you have WAN load-balancing enabled, but they are not as clear and consistent as they could be, and most can only be set at the CLI. Some configuration elements cannot be easily altered once created. For instance, there is no way to rename an interface (say, for a VPN tunnel), unless you create an entirely new one and perform a little gymnastics to switch from one to the other. Or, you export the config, rename the elements in question, then re-import the entire config. Creating a meshed VPN connection (Office A with two WAN links connecting to Office B with two WAN links) requires a massive bundle of four IPsec interfaces, with two policies. It would be nice to have a cleaner, simpler config for that functionality, something not very uncommon today. I have found that if you have a console cable in the device when you reboot it for a disk check, it will boot to the device firmware. This will not happen for a regular reboot. If you have more than a very basic environment, you quickly have to escalate past the first level of support. The initial level is so-so. The next level up has been stellar for me, and quick to figure out issues and resolve them.
After four years it has started to fail. The firewall engine is not so strong as of now, in my opinion. For that reason, we want to migrate to Check Point. This is one of the concerns that I have right now. My second concern is that, while they have Zero-day vulnerability and anti-malware features, the threat engine needs to be strengthened, its efficiency can be increased. I also need user-behavior analytics, to find threat scenarios from inside the organization, insider attacks. That would be very helpful for us. In addition, I would like next-generation features for small and medium businesses. These businesses require UTM, all in one product. Fortinet must include it.
It should come integrated or have its own type of network monitor tool in a module. There should just be one package, and you are good to go.
At first glance, the interface for the device is very confusing. However, every version is getting better.
One area for improvement is the performance on the bandwidth demands for smaller devices, as well as better web filtering.
* It needs more available central management.
* It could use better throughput on some of the smaller boxes for the branch offices.
I have only one request and that is to have Fortinet as a market download in Azure.
For me, at this time, it's very complete.
I would like to be able to do segmentation, for a specific user, with more privileges. I would also like to see an easier user interface to implement that.
Cisco Meraki products are rising very quickly in the cloud and the connected era. Meraki products are future proof and offer much better ROI, upgradability, and manageability. IT is continuously evolving, and every few days or months, there is something new. Whoever evolves first will take the lead over the competition. Adopting and evolving is the key to success.
One area for improvement is the performance on bandwidth demands for smaller devices, as well as better web filtering. Each manufacturer has their own way of filtering and each one needs improvement in categories, URL, and/or application filtering.
It needs to improve its ISP load balancing.
Reporting is limited to providing an external appliance for improving the reporting capabilities of the FortiAnalyzer. It does not offer a central management and is also sold separately as an appliance.
I think there could be more QoS features in GUI. FortiGate has Traffic Shaping that is enough in most cases, but sometimes I just need 802.1p prioritizing (Class of Service) and manual queue assignment. Also a few ports supporting native VLAN while in trunk mode would be very helpful in some cases.
I would like to see improvements made to the dashboard and UI, as well as to the reporting. I would also like them to consider offering more predefined security templates.